Saturday, April 30, 2011

How to get Personal Information from Morons

I block ads when I can, and here's a reason why: This is essentially a phishing site, designed to get people to give up personal information. Here's the scam: offer a mark the ability to see who is searching for him. The mark clicks on the webspyapp link, and is taken to a page that asks him for his name and ZIP. I claimed to be Fred Snerdling with a UMBC ZIP:

When the mark enters his information, webspyapp claims to have found some people searching for the mark, but wants the mark's cell number:

I especially like the fuzzy images of people searching for Fred Snerdling at 21250--nice touch. I entered a fake cell number, but unfortunately they wanted a real one:

I considered using the cell number of a wrong number who rang me a couple times last week, but that would be bad--even if the phishers have the wrong name and ZIP, they would have some poor sucker's cell number, and she doesn't deserve that.

Sunday, April 10, 2011

Epsilon, No Delta

A number of organizations with which I have (or had) financial relations have recently sent e-mails saying they have lost some of my personal information. At first I was unconcerned, because the impression I got was that it was just my e-mail address, and it was just Best Buy, or just Best Buy and Verizon, or just Best Buy, Verizon, and TIAA-CREF, or, well, around the time I got the TIAA-CREF mail I started to get concerned. This is a major financial institution, and, one might hope, one not cavalier about my personal information.

Here is the list of companies that have notified me to date:
  • Best Buy, 4/4
  • Verizon, 4/5
  • TIAA-CREF, 4/6
  • Chase, 4/6
  • M&T Bank, 4/8
All of these organizations, and I'm sure others, are informing their customers that an apparently inept contractor called Epsilon has lost their e-mail addresses. The first thing to note is that the financial institutions were the slowest to inform me. This may be just coincidence, but it is easy to believe that Best Buy was more responsive than M&T Bank. Kudos of a wry sort to Best Buy.

So the bad guys have many e-mail addresses, and can connect individuals to accounts. So what? Well, apparently some people are getting phishing mails claiming to be from organizations that have lost data through Epsilon. So what? Well, this will make it easier to tailor and target phishing attacks more precisely.

Clearly data leaks all the time. Excerpted from a recent posting by Martin McKeay:

I’m no longer surprised when I go into an assessment and somewhere halfway through a conversation a manager says, “Wait a minute, why haven’t I heard of this data repository/network connection/export to sales before now?”

But this is a shallower problem, not an inadvertent leak to marketing or sales, but an intentional transfer of data to an outside organization unable to protect the data.

The situation is exacerbated for Verizon customers, since Verizon encourages users to log in to its site without SSL/TLS. So, if users think that a picture of a padlock and the word "secure" next to the login text boxes actually indicates anything, they will be more vulnerable to phishing. Surprisingly, Verizon is the only organization from this list training users to ignore TLS. A few years ago this seemed more common, though I have just a very small sample here.

IMHO the Chase leak is the most egregious, since I have had no dealings with them since canceling my card in March 2008. I guess they consider me a potential future customer, but since I do not have a current relationship with them, it would be nice if they would delete my info. I managed to log in to my dormant Chase account, but cannot send them a "secure message" because every attempt results in "Error 500:", which looks like there should be a description after the error number. Yes, I remain unimpressed with the competence of Chase.

Friday, April 8, 2011

Useful "New" Firefox Feature

I am not a fan of GUI-based spellcheckers since it is so easy to miss a misspelling. I much prefer ispell within emacs. In particular, ispell does a great job (compared to any GUI I've seen) of suggesting alternatives, emacs and ispell together do a great job of accepting words for a session across multiple documents, and emacs understands various file formats and doesn't try to tell me that, for example, an HTML tag is not a valid English word. Well, it has long been a common opinion that GUIs are great for beginners but don't particularly reward more experienced users with better productivity. I particularly dislike spell checking within OpenOffice, since when adding to the dictionary one has to always specify which dictionary to save a word to, even if there is only one dictionary. Make the common case fast? I don't think that's a concept OpenOffice developers are familiar with.

So how can one make it less likely to miss misspellings before sending an e-mail, submitting a form, etc.? Firefox 3.6 and newer has a nice feature that's a pain to enable, ui.SpellCheckerUnderlineStyle. See the MozillaZine article. I particularly like option 4, which places a double line under each misspelled word. But the article just cited does not give explicit instructions for enabling the feature.

1) Open about:config
2) Right click in the list of preferences and select new.
3) For the new preference name, use ui.SpellCheckerUnderlineStyle.
4) For the type, use integer.
5) For the value, use your preferred value from the MozillaZine article. 5 is the default, a wavy red line. My preference is 4, a double line.

Iceland: Do the Right Thing

Vote no. Corrupt bankers took down the financial system, European governments bailed the banks out, and now have presented Iceland with the bill. If Iceland refuses to pay, perhaps the British and Dutch governments will be motivated to pursue those actually responsible for the collapse, the wealthy, corrupt bankers.